There are still privacy concerns with GNOME Software

I recently read a thread on reddit titled “A Privacy & Security Concern Regarding GNOME Software” that addressed a few issues regarding the fwupd daemon. The developer eventually responded and was able to justify and debunk most of the claims made against his software. However, that prompted me to have a closer look at the traffic originating from GNOME Software.

On Arch Linux, the fwupd plugin is an optional dependency of GNOME Software so that part did not concern me. I did however notice a lot of outbound traffic headed to the IP address 8.43.85.9. This IP address is owned by Red Hart and hosts a service called “GNOME Open Desktop Ratings” on behalf of the GNOME Project.

As the name implies, this service hosts and displays reviews submitted through GNOME Software. Looking at a few of the submitted reviews I noticed that they do contain quite a bit of information I would not knowingly hand out myself. In addition to the actual app review, the following data is retrieved from your system and delivered to odrs.gnome.org:

  • your IP adress (by connecting to the service)
  • user_display (your full name)
  • user_hash (a hash of your machine-id and username)
  • locale
  • distro

Source: gs-plugin-odrs.c

I could not find a privacy policy for odrs.gnome.org, so exactly how the GNOME Project manages the collected data is unknown to me.

Surely GNOME Software will notify me in detail as to what data it’s collecting and how it will be used before accepting my application review? To find out if that was indeed the case, I downloaded the latest Fedora release to get a build with GNOME Software the way Red Hat intended.

Submitting a review from GNOME Software
Submitting a review from GNOME Software on Fedora 27.

As you can tell from the image above, all I’m entering is a short summary and my actual review. Upon hitting the post button my review was immediately accepted without any further dialog. GNOME Software offered no information as to what data was being collected from my system, nor was I made aware that the data would be submitted to, and become publicly available on odrs.gnome.org. The image below shows my review as seen on odrs.gnome.org:

Review on odrs.gnome.org
My icecat review available on odrs.gnome.org.

I kind of expected this behavior so I registered a local user account with the name of Peter Pan as I had no intention of having odrs.gnome.org dox me that easily ;-) I don’t much appreciate this kind of behavior from any software, even if I happened to post the application review of my own free will. In the end, I was never made aware of, or agreed to any personal data being collected from my system and sent to an external service.

If you still want to use GNOME Software on Arch Linux I would recommend disabling the review system altogether using ABS.

--- gnome-software/repos/community-x86_64/PKGBUILD
+++ rebuilds/gnome-software/community-x86_64/PKGBUILD
@@ -30,7 +30,8 @@
   arch-meson $pkgbase build \
     -D enable-rpm=false \
     -D enable-ubuntuone=false \
-    -D enable-ubuntu-reviews=false
+    -D enable-ubuntu-reviews=false \
+    -D enable-odrs=false
   ninja -C build
 }

Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed or find me on Keybase.

Related posts